While it works, the catch is that it's tedious. But if you have to communicate and you need your communications to be 100% secure then you will either put up with the inconvenience of privacy or the interrogation room (your choice). Compared to the tedium of prison (or worse), it's a small price to pay but these days even small prices are too much for a lot of people; I hear otherwise smart people saying things on their cellphones that make me literally cringe and it's a laziness that some end up deeply regretting.
But anyway, back to the method.
OTP is especially good for long-term use since even if one of your keys is compromised, you only have one document exposed because each use of this approach calls for a new key. It's the "one time" part of the "One Time Pad." With digital encryption like PGP, if your key is compromised then someone can decrypt ALL the messages that were encrypted with that key, and that can get awkward.
To save time, I'll copy and paste (and give credit to) a writeup from a site that posted a how-to tutorial a few years back, and I recommend the site as a good place to browse for all sorts of interesting information. A lot of military personnel and LEOs hang there and exchange ideas and discuss tactics and such.
This is still a common tech; if you've ever turned on a shortwave radio and heard those strange Morse Code signals that don't seem to be real Morse Code, you were probably listening to OTP broadcasts from numbers stations.The following are all quotes taken from: http://www.itstactic...per-encryption/
The largest application of OTP has been on number stations; these unlicensed, mysterious shortwave radio stations began broadcasting during the Cold War and continue to this day. With a common, inexpensive hardware, an agent anywhere in the world can pickup a broadcast from their organization in an untraceable, uncrackable way. These stations often play musical introductions followed with either Morse code or voice recordings reading alphanumeric code. The Cornet Project has done an amazing job putting together 30 years of recordings of these stations and an informational booklet for free download. If you like spy games, be sure to check it out.
I’ll use the example of a Soviet spy. In Moscow, you are issued a tiny booklet of labeled random numbers sequences; this cryptographic key book is identical to one that number station operators have. You sew it into your suit and smuggle it into West Germany. While there, you purchase a shortwave radio and, in the privacy of your flat, listen to the predetermined time and frequency. After a series of beeps, you hear the jingle of music that verifies you are listening to the correct station.
A Russian voice comes on and gives you eight numbers (shown in the table below). Using the first two to identify which code to use, you combine your encrypted message with your key to decode the name of your contact, “Egorov”. You rip out the key booklet page and throw it in your fireplace.
Here is the example from above in math form. The encrypted text is what came over the radio, the key is what was in your book.
You take your encrypted text (01-03-09-07-24-11) and add the key from your book (04-04-06-11-17-11). Notice that position five the cipher text and the key sum to 15, not 41. Because there are only 26 letters, it “rotates” around to become 15 (24+17=41. 41-26=15). The encryption process at the number station simply took the message (EGOROV) and subtracted their random key from it, using the same rotating method for negative numbers.
If the key is scientifically random, in theory, the code is impossible to crack. This is because there is no correlation between how the first E is encrypted and the fifth, and a three letter code could just as easily be “CAT” or “DOG”.
An OTP key is used only once, and has a key as long as the message; if a key is reused, it is possible to mount a computational attack and crack it.
Done properly, no previous messages are compromised if a single key is broken (unlike AES or PGP). Furthermore, by keeping the entire process on paper, you minimize the number of mechanism that need to be secure, and thereby reduce the attack vectors.
With five minutes of training, you can apply this same system to your IM conversations, email, shortwave radio stations or SMS.
Lastly, humans intuitively understand how to hide and secure things, but only conceptually understand firewalls and SSL.
A limitation of OTP is that there’s a finite number of messages that can be sent before a new set of keys need to be exchanged. Furthermore, the key exchange has to happen out-of-band and typically in person; this makes the system more inconvenient compared to PGP or AES for computer network communications. Understanding these limitations and advantages, you can build out your own cryptographic implementation easily.
Building Your Own System
Step 1 – Decide on an Alphabet
First we need to figure out how to interpret decrypted messages as English. Often messages are converted into using numbers for their ease-of-calculation in OTP. Numbers don’t have to represent just letters, as in the previous example, but also numbers, symbols, words, and syntax. While this the alphabet is not sensitive, per se, it’s usually kept with your keys. Here is an example alphabet I’ve created for text messages.
Step 2 – Generate Your Key Book
Now we need to generate your key book to smuggle into West Germany. Unlike Hoover’s CIA, generating 10,000 new scientifically random numbers doesn’t take a room full of agents rolling dice for a week. RANDOM.org is a free service run by the computer science department at Trinity College in Dublin, Ireland; their random numbers are generated from atmospheric noise, and is as close an approximation to random numbers as you can get without a chunk of uranium and a Geiger counter.
Use their SSL-encrypted integer generator to collect your encryption keys. The safest ways to collect these are using Firefox Private Browsing Mode, Google Incognito‘s window, or encrypt your hard-drive. If you use spreadsheet software like Excel, be sure to disable autosaving if your hard-drive is unencrypted. Print this and give it to your comrade, preferably on a printer without secret serial number dots.
When you’re done, your key book will have pages of labeled two-digit numbers.
Step 3 – Transmit
When you transmit, you have lots of options available to you today your granddaddy didn’t. Your globally-connected encrypted pocket radio (cell phone) and SMS are fantastic systems, albeit expose your geographic location to the service provider. If you want to transmit a message to many people/agents, a Twitter or Blogger account posted to via Tor or a pre-paid cellphone create the modern day equivalent of a number station. In fact, there is at least one known bot net coordinated via an anonymous Twitter account (not encrypted, however).
That’s it, no more tools or training is required. While OTP certainly has its limitations, under the right circumstance it can outperform more sophisticated (and more difficult) cryptographic systems. Anyone with five minutes of training and a piece of paper can use the same tools the CIA, KGB, and Mossad use to conduct operations abroad. It’s up to you to learn how to apply these in your own situation, but remember that many times, the simplest tool in your arsenal is the most powerful.
Well there you have it. It's actually a lot easier that it seems at first. Just remember to only use a given key ONCE. And use a different key to respond to a message than the one used to send the message being responded to. It might be a good idea to generate many pages of keys and assign each page a code, then exchange them with your associates all at once. Then you can even use a secondary code for communicating which key to use, further complicating any attempts at cracking even if someone gets your key book.